Analysis Report u4nCZtpsbeihgbe.exe

Overview

General Information

Sample Name: u4nCZtpsbeihgbe.exe
Analysis ID: 358395
MD5: cc5a26619d9ccedd6ee0b4972b08db46
SHA1: e185e3b1c9525d988f2efa32285f46e2d7cd675f
SHA256: 926c237123af4acecbbbde443fea178a40983df81beb3e06c656c59684bf370c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 15.2.UTCCf.exe.3a4e990.1.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "info@indiaflanges.comdvdxq;nx{(MV5@mmail.indiaflanges.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: u4nCZtpsbeihgbe.exe ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: u4nCZtpsbeihgbe.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 18.2.UTCCf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 22.2.UTCCf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: u4nCZtpsbeihgbe.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: u4nCZtpsbeihgbe.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, UTCCf.exe, 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, u4nCZtpsbeihgbe.exe, 00000006.00000002.491691762.00000000035B6000.00000004.00000001.sdmp, u4nCZtpsbeihgbe.exe, 00000006.00000002.491758882.00000000035BE000.00000004.00000001.sdmp String found in binary or memory: http://5XSOtKxpbh4CX.org
Source: UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.496288481.0000000006E69000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: UTCCf.exe, 00000010.00000002.425351707.0000000000D93000.00000004.00000020.sdmp String found in binary or memory: http://go.mic
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp String found in binary or memory: http://indiaflanges.com
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp String found in binary or memory: http://mail.indiaflanges.com
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp String found in binary or memory: http://rlPXNy.com
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp, u4nCZtpsbeihgbe.exe, 00000006.00000002.479681769.0000000000402000.00000040.00000001.sdmp, UTCCf.exe, 0000000F.00000002.397074520.0000000003939000.00000004.00000001.sdmp, UTCCf.exe, 00000010.00000002.430420899.0000000003979000.00000004.00000001.sdmp, UTCCf.exe, 00000012.00000002.427887862.0000000000402000.00000040.00000001.sdmp, UTCCf.exe, 00000016.00000002.479863596.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, UTCCf.exe, 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: UTCCf.exe, 0000000F.00000002.393131917.0000000000D28000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack, <PrivateImplementationDetails>{E5200965-7E04-4669-B283-124A998C0C6F}/4DB0973C-71C6-4E39-AFCB-0D7584BBC7A5.cs Large array initialization: .cctor: array initializer size 11928
Source: 18.2.UTCCf.exe.400000.0.unpack, <PrivateImplementationDetails>{E5200965-7E04-4669-B283-124A998C0C6F}/4DB0973C-71C6-4E39-AFCB-0D7584BBC7A5.cs Large array initialization: .cctor: array initializer size 11928
Detected potential crypto function
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_00DB2050 1_2_00DB2050
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_00DBABC3 1_2_00DBABC3
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_00DB8AC7 1_2_00DB8AC7
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_00DB2AEA 1_2_00DB2AEA
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_00DB9BA3 1_2_00DB9BA3
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_0178D4DC 1_2_0178D4DC
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_077B2E6D 1_2_077B2E6D
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_077B06A6 1_2_077B06A6
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_077B6DE0 1_2_077B6DE0
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_077B0C32 1_2_077B0C32
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_092AC530 1_2_092AC530
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_092AA948 1_2_092AA948
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_092A0040 1_2_092A0040
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_092A3780 1_2_092A3780
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_092AC522 1_2_092AC522
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_092A4969 1_2_092A4969
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_092A4978 1_2_092A4978
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_092A4728 1_2_092A4728
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_00DB2D32 1_2_00DB2D32
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_00F19BA3 6_2_00F19BA3
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_00F12AEA 6_2_00F12AEA
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_00F12050 6_2_00F12050
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_00F1ABC3 6_2_00F1ABC3
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_00F18AC7 6_2_00F18AC7
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_015F46A0 6_2_015F46A0
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_015F35C4 6_2_015F35C4
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_015F4618 6_2_015F4618
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_015F5390 6_2_015F5390
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_015FDA01 6_2_015FDA01
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_01746120 6_2_01746120
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_01746858 6_2_01746858
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_01745AE8 6_2_01745AE8
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_00F12D32 6_2_00F12D32
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_004D8AC7 15_2_004D8AC7
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_004DABC3 15_2_004DABC3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_004D2050 15_2_004D2050
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_004D2AEA 15_2_004D2AEA
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_004D9BA3 15_2_004D9BA3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_00F4D4DC 15_2_00F4D4DC
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_06C706A6 15_2_06C706A6
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_06C72E6D 15_2_06C72E6D
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_06C70C32 15_2_06C70C32
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_06C76DE0 15_2_06C76DE0
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_08290040 15_2_08290040
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_0829C530 15_2_0829C530
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_0829A948 15_2_0829A948
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_08293780 15_2_08293780
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_0829C522 15_2_0829C522
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_08294969 15_2_08294969
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_08294978 15_2_08294978
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_082932B0 15_2_082932B0
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_082966B5 15_2_082966B5
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_08294728 15_2_08294728
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_08294717 15_2_08294717
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_004D2D32 15_2_004D2D32
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_00562050 16_2_00562050
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_00568AC7 16_2_00568AC7
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_0056ABC3 16_2_0056ABC3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_00569BA3 16_2_00569BA3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_00562AEA 16_2_00562AEA
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_00D3D4DC 16_2_00D3D4DC
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_06BD3780 16_2_06BD3780
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_06BDC530 16_2_06BDC530
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_06BD2113 16_2_06BD2113
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_06BD2C30 16_2_06BD2C30
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_06BDA948 16_2_06BDA948
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_06BD66B5 16_2_06BD66B5
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_06BD4728 16_2_06BD4728
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_06BD4717 16_2_06BD4717
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_06BD4978 16_2_06BD4978
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_06BD4969 16_2_06BD4969
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_00562D32 16_2_00562D32
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 18_2_00B59BA3 18_2_00B59BA3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 18_2_00B52AEA 18_2_00B52AEA
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 18_2_00B52050 18_2_00B52050
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 18_2_00B58AC7 18_2_00B58AC7
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 18_2_00B5ABC3 18_2_00B5ABC3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 18_2_015546A0 18_2_015546A0
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 18_2_015545B0 18_2_015545B0
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 18_2_0155DA01 18_2_0155DA01
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 18_2_00B52D32 18_2_00B52D32
PE file contains strange resources
Source: u4nCZtpsbeihgbe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UTCCf.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: u4nCZtpsbeihgbe.exe Binary or memory string: OriginalFilename vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamenXElHhxtxWCmccBastwMdhHRj.exe4 vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.275179968.0000000000DB2000.00000002.00020000.sdmp Binary or memory string: OriginalFilename6Q vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.287818468.0000000009130000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.287774249.00000000090C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.486634861.0000000001730000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.486612263.0000000001720000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000000.274159733.0000000000F12000.00000002.00020000.sdmp Binary or memory string: OriginalFilename6Q vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.485302007.0000000001619000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.479681769.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenXElHhxtxWCmccBastwMdhHRj.exe4 vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.486700802.0000000001890000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe Binary or memory string: OriginalFilename6Q vs u4nCZtpsbeihgbe.exe
Uses 32bit PE files
Source: u4nCZtpsbeihgbe.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: u4nCZtpsbeihgbe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UTCCf.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 18.2.UTCCf.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/4@0/0
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\u4nCZtpsbeihgbe.exe.log
Source: u4nCZtpsbeihgbe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: u4nCZtpsbeihgbe.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe File read: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe
Source: unknown Process created: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe 'C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe'
Source: unknown Process created: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe 'C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe 'C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Process created: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe {path}
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Process created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Process created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Process created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: u4nCZtpsbeihgbe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: u4nCZtpsbeihgbe.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
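Turning the process-creation and drop findings above into detection logic, as an added example that is not part of the Joe Sandbox report: the sample log lines are constructed (loosely modelled on this report's process tree, with the child command line written out in place of the report's {path} notation), and the column names, rule names and directory list are assumptions. The three heuristics flag a binary relaunching its own image (the create-suspended-then-inject pattern the signatures describe), any execution from a user-writable profile directory, and a user-profile parent handing off to a freshly dropped binary under AppData.

```python
import csv
import io

# Constructed process-creation log, loosely modelled on the process tree in this report.
# Columns: event id, parent image, child image, child command line. Not real telemetry.
SAMPLE_LOG = r"""ts,parent,image,cmdline
1,C:\Windows\explorer.exe,C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe,"C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe"
2,C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe,C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe,"C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe"
3,C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe,C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe,"C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe"
4,C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe,C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe,"C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe"
5,C:\Windows\explorer.exe,C:\Program Files\Mozilla Firefox\firefox.exe,"C:\Program Files\Mozilla Firefox\firefox.exe"
"""

# Directories a standard user can write to; installed software rarely executes from them.
# Assumed list for the example, extend it to match your environment.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def in_user_writable_dir(image: str) -> bool:
    """True if the executable path (already lower-cased) sits under a user-writable directory."""
    return any(d in image for d in USER_WRITABLE_DIRS)


def analyze_process_log(log_text: str):
    """Apply three process-tree heuristics and return a list of (ts, rule, image) alerts."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        parent, image = row["parent"].lower(), row["image"].lower()

        # A binary relaunching its own image is the usual setup for
        # create-suspended / overwrite / resume process hollowing.
        if parent == image:
            alerts.append((row["ts"], "self-relaunch", row["image"]))

        # Persistence copies dropped by the first stage live under the profile.
        if in_user_writable_dir(image):
            alerts.append((row["ts"], "exec-from-user-writable", row["image"]))

        # A user-profile parent starting a differently named binary it just
        # placed under AppData is the drop-and-run hand-off seen in this report.
        if parent != image and "\\users\\" in parent and in_user_writable_dir(image):
            alerts.append((row["ts"], "dropper-handoff", row["image"]))
    return alerts


if __name__ == "__main__":
    for ts, rule, image in analyze_process_log(SAMPLE_LOG):
        print(f"event {ts}: {rule:<24} {image}")
```

The rules are deliberately independent so one event can raise several alerts; correlate them by parent path when you want a single incident out of the drop, relaunch and inject sequence. Firefox in the constructed log is the negative case and raises nothing.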

Data Obfuscation:

.NET source code contains potential unpacker
Source: u4nCZtpsbeihgbe.exe, StudentStudio/MainForm.cs .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.u4nCZtpsbeihgbe.exe.db0000.0.unpack, StudentStudio/MainForm.cs .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.u4nCZtpsbeihgbe.exe.db0000.0.unpack, StudentStudio/MainForm.cs .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: UTCCf.exe.6.dr, StudentStudio/MainForm.cs .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.u4nCZtpsbeihgbe.exe.f10000.0.unpack, StudentStudio/MainForm.cs .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.u4nCZtpsbeihgbe.exe.f10000.1.unpack, StudentStudio/MainForm.cs .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.UTCCf.exe.4d0000.0.unpack, StudentStudio/MainForm.cs .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.UTCCf.exe.4d0000.0.unpack, StudentStudio/MainForm.cs .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.UTCCf.exe.560000.0.unpack, StudentStudio/MainForm.cs .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.UTCCf.exe.560000.0.unpack, StudentStudio/MainForm.cs .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 1_2_077B7765 push FFFFFF8Bh; iretd 1_2_077B7767
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_015FCD51 push esp; iretd 6_2_015FCD5D
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Code function: 6_2_0174B53F push edi; retn 0000h 6_2_0174B541
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_06C77765 push FFFFFF8Bh; iretd 15_2_06C77767
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 15_2_06C71C51 push es; retf 15_2_06C71C58
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 16_2_00D38638 push 1400FF8Fh; ret 16_2_00D3863D
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Code function: 18_2_0155CD51 push esp; iretd 18_2_0155CD5D
Source: initial sample Static PE information: section name: .text entropy: 7.89057728197

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe File created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run UTCCf

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe File opened: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Window / User API: threadDelayed 2100
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Window / User API: threadDelayed 7706
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Window / User API: threadDelayed 2771
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Window / User API: threadDelayed 5556
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Window / User API: threadDelayed 1750
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Window / User API: threadDelayed 3929
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe TID: 5920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe TID: 6796 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe TID: 6800 Thread sleep count: 2100 > 30
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe TID: 6800 Thread sleep count: 7706 > 30
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe TID: 6796 Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 7012 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 7048 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 6312 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 6316 Thread sleep count: 2771 > 30
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 6316 Thread sleep count: 5556 > 30
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 5044 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 5024 Thread sleep count: 1750 > 30
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 5024 Thread sleep count: 3929 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Last function: Thread delayed
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.496258061.0000000006E20000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Memory written: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Memory written: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Process created: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe {path}
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Process created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Process created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Process created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.487162320.0000000001CF0000.00000002.00000001.sdmp, UTCCf.exe, 00000016.00000002.485378915.0000000001BD0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.487162320.0000000001CF0000.00000002.00000001.sdmp, UTCCf.exe, 00000016.00000002.485378915.0000000001BD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.487162320.0000000001CF0000.00000002.00000001.sdmp, UTCCf.exe, 00000016.00000002.485378915.0000000001BD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.487162320.0000000001CF0000.00000002.00000001.sdmp, UTCCf.exe, 00000016.00000002.485378915.0000000001BD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.479863596.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.427887862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.479681769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.430420899.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.397074520.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UTCCf.exe PID: 1288, type: MEMORY
Source: Yara match File source: Process Memory Space: UTCCf.exe PID: 7028, type: MEMORY
Source: Yara match File source: Process Memory Space: u4nCZtpsbeihgbe.exe PID: 5932, type: MEMORY
Source: Yara match File source: Process Memory Space: UTCCf.exe PID: 4944, type: MEMORY
Source: Yara match File source: Process Memory Space: u4nCZtpsbeihgbe.exe PID: 5536, type: MEMORY
Source: Yara match File source: Process Memory Space: UTCCf.exe PID: 6984, type: MEMORY
Source: Yara match File source: 15.2.UTCCf.exe.3a4e990.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.UTCCf.exe.3a8e990.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.UTCCf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.UTCCf.exe.3a8e990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u4nCZtpsbeihgbe.exe.42ce990.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.UTCCf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u4nCZtpsbeihgbe.exe.42ce990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.UTCCf.exe.3a4e990.1.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UTCCf.exe PID: 1288, type: MEMORY
Source: Yara match File source: Process Memory Space: u4nCZtpsbeihgbe.exe PID: 5932, type: MEMORY
Source: Yara match File source: Process Memory Space: UTCCf.exe PID: 4944, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.479863596.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.427887862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.479681769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.430420899.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.397074520.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UTCCf.exe PID: 1288, type: MEMORY
Source: Yara match File source: Process Memory Space: UTCCf.exe PID: 7028, type: MEMORY
Source: Yara match File source: Process Memory Space: u4nCZtpsbeihgbe.exe PID: 5932, type: MEMORY
Source: Yara match File source: Process Memory Space: UTCCf.exe PID: 4944, type: MEMORY
Source: Yara match File source: Process Memory Space: u4nCZtpsbeihgbe.exe PID: 5536, type: MEMORY
Source: Yara match File source: Process Memory Space: UTCCf.exe PID: 6984, type: MEMORY
Source: Yara match File source: 15.2.UTCCf.exe.3a4e990.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.UTCCf.exe.3a8e990.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.UTCCf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.UTCCf.exe.3a8e990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u4nCZtpsbeihgbe.exe.42ce990.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.UTCCf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u4nCZtpsbeihgbe.exe.42ce990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.UTCCf.exe.3a4e990.1.raw.unpack, type: UNPACKEDPE
Behavior Graph (ID: 358395, Sample: u4nCZtpsbeihgbe.exe, Startdate: 25/02/2021, Architecture: WINDOWS, Score: 100)

Signatures at start: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 3 other signatures
Processes started from the sample: u4nCZtpsbeihgbe.exe; UTCCf.exe; UTCCf.exe

u4nCZtpsbeihgbe.exe (first instance): dropped C:\Users\user\...\u4nCZtpsbeihgbe.exe.log (ASCII); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes; started a second u4nCZtpsbeihgbe.exe
UTCCf.exe (first instance): Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; started UTCCf.exe
UTCCf.exe (second instance): started UTCCf.exe; started UTCCf.exe

u4nCZtpsbeihgbe.exe (second instance): dropped C:\Users\user\AppData\Roaming\...\UTCCf.exe (PE32); dropped C:\Users\user\...\UTCCf.exe:Zone.Identifier (ASCII); Hides that the sample has been downloaded from the Internet (zone.identifier)
No contacted IP infos